Even if you have the best security in place, there is still one danger: social engineering. It is not a new danger by any means, but most people have never heard the term. They know it by another name: the "con." It is the skill of manipulating people into taking a particular action or divulging private information. The social engineer is a select type of hacker. They skip the hassle of coding and attack the weakest point in any security: the employees. A cheap disguise, a phone call, or an average-looking email could be all it takes to gain access to your network. This ill-gained access comes despite the substantial technical protections you have in place.
In the following, I list a few examples of how social engineers work:
The con will imitate a co-worker, friend, or customer who needs some specific information, and needs it now. It may be login credentials, a shipping address, or some other personal data they pretend to know but do not have in front of them at the time. They may even tell you in the email where to get the data. This hacker could also make the request seem urgent or express the fear that they may get in trouble with a supervisor if they do not get the information requested. Because you hire and train employees to be team players, they naturally lean in to help and send a quick reply.
The hacker will pose as a government official, customer, or IT support. In doing so, the con will immediately convince employees to give out information like their login password. These sorts of attacks are much harder to identify. The hacker can use sound effects in the background, like a crying baby or call-center noise, to be persuasive and trigger empathy and trust from your employees.
Uniformed repairers and delivery people often get past people without a question or a second look. Disguised as a utility worker or in some other service role, this social engineer will quickly make their way into sensitive parts of your business. Once inside, they can become invisible and are free to install listening devices on your network, read your Post-it notes with sensitive data, or even tamper with other aspects of your business.
When, where, and how a social engineer will attack is impossible to predict. The attacks I listed above are not super sophisticated; however, they are super effective. Regrettably, the training you provided employees to be team players and helpful, although good for teamwork and customer service, is a weakness the social engineer can exploit.
So, what can one do to protect their employees, customers, and business? Start by identifying the level of risk each role carries. For example, your receptionist taking calls all day would be at a higher risk than the factory worker on the floor. My recommendation is to conduct cyber-security training for every level of risk identified. Focus on how employees should respond to the different scenarios that could be presented to them. Do not take social engineering lightly. It is far too dangerous and far too common for comfort.